diff --git a/modules/web01/gitea/default.nix b/modules/web01/gitea/default.nix index de2f9c3..0d72aff 100644 --- a/modules/web01/gitea/default.nix +++ b/modules/web01/gitea/default.nix @@ -4,7 +4,7 @@ let # make the logs for this host "public" so that they show up in e.g. metrics publog = vhost: lib.attrsets.unionOfDisjoint vhost { extraConfig = (vhost.extraConfig or "") + '' - access_log /var/log/nginx/public.log vcombined; + access_log /var/log/nginx/public.log vcombined compression; ''; }; in diff --git a/modules/web01/goaccess.nix b/modules/web01/goaccess.nix index bc9dcc7..b8c5186 100644 --- a/modules/web01/goaccess.nix +++ b/modules/web01/goaccess.nix @@ -1,14 +1,27 @@ { stdenv, lib, pkgs, ... }: let - domain = "metrics.gchq.icu"; + domain = "metrics.clan.lol"; + priv_goaccess = "/var/lib/goaccess"; + pub_goaccess = "/var/www/goaccess"; + + user-agent-list = pkgs.writeText "browsers.list" '' + # List of browsers and their categories + # e.g., WORD delimited by tab(s) \t TYPE + # TYPE can be any type and it's not limited to the ones below. + github-actions-checkout GitHubActions + git Git + connect-go Go + Go-http-client Go + curl Curl + ''; in { users.users.goaccess = { isSystemUser = true; group = "nginx"; createHome = true; - home = "/var/www/goaccess"; + home = "${pub_goaccess}"; homeMode = "0774"; }; @@ -17,8 +30,18 @@ in access_log /var/log/nginx/private.log vcombined; ''; + systemd.tmpfiles.rules = [ + "d ${priv_goaccess} 0755 goaccess nginx -" + "d ${priv_goaccess}/db 0755 goaccess nginx -" + "d ${pub_goaccess} 0755 goaccess nginx -" + ]; + + + # --browsers-file=/etc/goaccess/browsers.list + # https://raw.githubusercontent.com/allinurl/goaccess/master/config/browsers.list systemd.services.goaccess = { description = "GoAccess server monitoring"; + serviceConfig = { User = "goaccess"; Group = "nginx"; @@ -26,14 +49,22 @@ in ${pkgs.goaccess}/bin/goaccess \ -f /var/log/nginx/public.log \ --log-format=VCOMBINED \ + --ignore-crawlers \ + --browsers-file=${user-agent-list} \ --real-time-html \ + --all-static-files \ --html-refresh=30 \ + --persist \ + --restore \ + --db-path=${priv_goaccess}/db \ --no-query-string \ + --unknowns-log=${priv_goaccess}/unknowns.log \ + --invalid-requests=${priv_goaccess}/invalid-requests.log \ --anonymize-ip \ --ignore-panel=HOSTS \ --ws-url=wss://${domain}:443/ws \ --port=7890 \ - -o index.html + -o "${pub_goaccess}/index.html" ''; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; Type = "simple"; @@ -41,14 +72,14 @@ in RestartSec = "10s"; # hardening - WorkingDirectory = "/var/www/goaccess"; + WorkingDirectory = "${pub_goaccess}"; NoNewPrivileges = true; PrivateTmp = true; ProtectHome = "read-only"; ProtectSystem = "strict"; SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io"; ReadOnlyPaths = "/"; - ReadWritePaths = [ "/proc/self" "/var/www/goaccess" ]; + ReadWritePaths = [ "/proc/self" "${pub_goaccess}" "${priv_goaccess}" ]; PrivateDevices = "yes"; ProtectKernelModules = "yes"; ProtectKernelTunables = "yes"; @@ -61,7 +92,7 @@ in services.nginx.virtualHosts."${domain}" = { addSSL = true; enableACME = true; - root = "/var/www/goaccess"; + root = "${pub_goaccess}"; locations."/ws" = { proxyPass = "http://127.0.0.1:7890";